NCSAM Tip #5: Social Engineering Techniques and How to Avoid Them

October 7, 2011

Today’s NCSAM Tip is on recognizing and avoiding the most commonly used social engineering techniques. The root of the problem is simple enough: people are too trusting of content on the Internet. A long-promoted perception of community, information sharing, free items, help, and friendliness on the Internet has lulled many into a false sense of safety or security. Unfortunately, the reality is that just about every “con, scam, grift, hustle, bunko, swindle, flim flam, gaffle, sting or bamboozle” known is alive and well on the Internet. When you more closely examine the social engineering techniques used by criminals on the Internet, you see they are often the same as, or variations of, con games and scams that go way back and that many people are familiar with. This too gives people a false sense of security, in that many believe they can identify these malicious attempts to exploit them. But many tests of these beliefs have shown that most people fail.

Instead of looking at the complicated technical details or the various techniques themselves, it is easier to see the human factors they are attempting to exploit. Cisco SIO researched the human factors most commonly exploited in 2010 and included the findings in the Cisco 2010 Annual Security Report. What we found was that regardless of the technical details or specific techniques and variations, the attackers commonly attempted to exploit a short list of human weaknesses:

1. Sex Appeal – It’s still a best seller: an attractive man or woman, promises of increasing your appeal, or the suggestion that other (attractive) people love this, and you will too! Some of the most prevalent current scams involve male performance-enhancement pharmaceuticals, and pictures of attractive celebrities are widely used to lure users to malicious or infected websites.

2. Greed – “Too good to be true” is still true, even on the Internet. The advance-fee or 419 fraud is still in wide use and still effective. However, the current and most successful fraud of this type is “free” anti-virus products (which of course are not what they claim). Other current frauds of this type involve fake pharmaceutical product offers that are incredibly inexpensive. Money mule recruitment, also mentioned in the Cisco 2010 Annual Security Report, falls in this category: “Make $$$ working from home!”, when what you are actually doing may be criminal and could result in arrest for transferring funds for criminals.

3. Vanity – You are special, right? Most of these frauds go along the lines of “You’ve been selected,” “Special offer just for [insert name],” “due to your association with [insert organization] you can receive,” or anything else that plays to you being special, select, or privileged. Honestly, most of us aren’t that “special,” and the only thing you have been selected for is to be a target, or mark.

4. Trust (Implied or Transient) – You know them, right? Implied trust relies on a long list of well-known and trusted names or products that usually appear in very official-looking messages. Examples include fake product security updates, package shipping messages, electronic purchase receipts, or government agency notices that need your attention. Transient trust is the old game of six degrees of separation, or the friend of a friend, which is common on social network websites. Either suggests you should trust this because you trust that: the name, the product, or the person. You should not trust these.

5. Sloth – “It’s probably okay, don’t bother checking.” Users see warnings from security products, browsers, or email applications, and too often ignore, cancel, or delete them. The same applies to other relatively simple methods of verification, such as calling or instant messaging a sender to verify they sent an email message, calling a visitor’s company to verify a work order, or using bookmarked links instead of clicking links delivered in email messages or on social networks. We are often just too lazy to perform a simple check, and the criminals know it.

6. Compassion – Most people are compassionate, and this is not to say that is a bad thing. Unfortunately, the criminals know this too, and frequently target and exploit that compassion. Every major disaster, event, or big news item is almost immediately exploited by spam messages, malicious websites, malicious text or voice messages that solicit donations, or messages with links to malicious websites that launch attacks on your computer. Users must be very cautious around these types of events to ensure that they are visiting legitimate websites and organizations. The best way to do this is to go directly to the website or local office of their organization of choice to make donations or offer assistance, not through any promotions, advertisements, email messages, social network posts, or video posts.

7. Urgency – This is one of the “hooks” commonly used to leverage any of the above human weaknesses. Criminals compound any of the weaknesses by adding a sense of urgency, a time limit, or an “emergency” to try to force the user into not thinking it through, not taking time to make a check, and making a quick bad decision. Seldom is this ever actually the situation; more likely you are being manipulated. This should be an immediate warning sign or red flag that you are likely being exploited, and all the more reason not to rush.

There is one other weakness that we didn’t include in the list because, like Urgency, it can combine with any of the others: curiosity. We have seen, in at least one recent data breach, an example where an individual’s email application and anti-virus product had quarantined the malicious message and warned the user that it was likely malicious, but they couldn’t resist. The user went to the quarantine folder and opened the message anyway. It was malicious, infected the system, and set in motion one of the biggest data breaches of this year.

As the National Cyber Security Awareness campaign puts it: “Stop.Think.Connect”. Know your weaknesses, recognize when someone is attempting to exploit those weaknesses, and stop and think before you connect. One of the most common analysis comments we use in cyber threat and vulnerability alerts is “requires user interaction.” Your cooperation and assistance are key to many of these threats and scams, and you can prevent many of them.
